scheduler/appengine/engine/engine.go - Issue 2993953002: scheduler: make debug output for ACLs checks contain JobID.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: scheduler/appengine/engine/engine.go

Issue 2993953002: scheduler: make debug output for ACLs checks contain JobID. (Closed)

Patch Set: Created 3 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: scheduler/appengine/engine/engine.go

diff --git a/scheduler/appengine/engine/engine.go b/scheduler/appengine/engine/engine.go

index c85184b0a6bc1bbfbb00a5f3fb1c3110cdccd60b..385a9ffafe8e61945f1984da07173ca4ef36d077 100644

--- a/scheduler/appengine/engine/engine.go

+++ b/scheduler/appengine/engine/engine.go

@@ -352,6 +352,16 @@ func (e *Job) matches(def catalog.Definition) bool {

bytes.Equal(e.Task, def.Task)

}

+// isVisible checks if current identity has READER access to this job.

+func (e *Job) isVisible(c context.Context) (bool, error) {

+ return e.Acls.IsReader(logging.SetField(c, "JobID", e.JobID))

+// isOwned checks if current identity has OWNER access to this job.

+func (e *Job) isOwned(c context.Context) (bool, error) {

+ return e.Acls.IsOwner(logging.SetField(c, "JobID", e.JobID))

// Invocation entity stores single attempt to run a job. Its parent entity

// is corresponding Job, its ID is generated based on time.

type Invocation struct {

@@ -664,7 +674,7 @@ func (e *engineImpl) queryEnabledVisibleJobs(c context.Context, q *ds.Query) ([]

}

// TODO(tandrii): improve batch ACLs check here to take advantage of likely

// shared ACLs between most jobs of the same project.

- if ok, err := job.Acls.IsReader(c); err != nil {

+ if ok, err := job.isVisible(c); err != nil {

return nil, transient.Tag.Apply(err)

} else if ok {

filtered = append(filtered, job)

@@ -680,7 +690,7 @@ func (e *engineImpl) GetVisibleJob(c context.Context, jobID string) (*Job, error

} else if job == nil {

return nil, ErrNoSuchJob

}

- if ok, err := job.Acls.IsReader(c); err != nil {

+ if ok, err := job.isVisible(c); err != nil {

return nil, err

} else if !ok {

return nil, ErrNoSuchJob

@@ -696,7 +706,7 @@ func (e *engineImpl) getOwnedJob(c context.Context, jobID string) (*Job, error)

return nil, ErrNoSuchJob

}

- switch owner, err := job.Acls.IsOwner(c); {

+ switch owner, err := job.isOwned(c); {

case err != nil:

return nil, err

case owner:

@@ -704,7 +714,7 @@ func (e *engineImpl) getOwnedJob(c context.Context, jobID string) (*Job, error)

}

// Not owner, but maybe reader? Give nicer error in such case.

- switch reader, err := job.Acls.IsReader(c); {

+ switch reader, err := job.isVisible(c); {

case err != nil:

return nil, err

case reader:

« no previous file with comments | « no previous file | no next file » | no next file with comments »